
classification
Title: Segfault when using store-context AST node in a load context
Type: crash
Stage: resolved
Components: Library (Lib)
Versions: Python 2.7

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, xmorel, xtreak
Priority: normal
Keywords:

Created on 2015-08-08 14:03 by xmorel, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg248269 - Author: Xavier Morel (xmorel) - Date: 2015-08-08 14:03
It looks to be fixed in 3.3 and up, but in Python 2.7

    import ast
    m = ast.Module(body=[
        ast.Expr(value=ast.Name(id='foo', ctx=ast.Store()))
    ])
    ast.fix_missing_locations(m)
    code = compile(m, '', mode='exec')
    eval(code)
 
will segfault on eval. So will a similarly incorrect ast.Attribute node.

Version tested:

Python 2.7.10 (default, May 28 2015, 12:02:55) 
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin

msg325987 - Author: Karthikeyan Singaravelan (xtreak) (Python committer) - Date: 2018-09-21 12:46
Thanks for the script. The crash is still reproducible as of now with at least Python 2.7.14. I need to check on the latest 2.7 branch yet.

On Python 3 it produces an error as below:

    Traceback (most recent call last):
      File "../backups/bpo24828.py", line 6, in <module>
        code = compile(m, '', mode='exec')
    ValueError: expression must have Load context but has Store instead

Crash report on Mac OS

MacOS/Python
Identifier:            Python
Version:               2.7.14 (2.7.14)
Code Type:             X86-64 (Native)
Parent Process:        zsh [13087]
Responsible:           iTerm2 [230]
User ID:               501

Date/Time:             2018-09-21 18:13:27.072 +0530
OS Version:            Mac OS X 10.10.4 (14E46)
Report Version:        11
Anonymous UUID:        BCB9DD4C-B310-CA87-7308-42F6715FDA83

Sleep/Wake UUID:       FA788657-D625-40D6-8701-16E042836F5F

Time Awake Since Boot: 24000 seconds
Time Since Wake:       14000 seconds

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

VM Regions Near 0:
--> 
    __TEXT                 00000001075be000-00000001075c0000 [    8K] r-x/rwx SM=COW  /usr/local/Cellar/python@2/2.7.14_3/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   org.python.python             	0x00000001075fc8bb dict_set_item_by_hash_or_entry + 14
1   org.python.python             	0x000000010764fa63 PyEval_EvalFrameEx + 14664
2   org.python.python             	0x000000010764bf29 PyEval_EvalCodeEx + 1583
3   org.python.python             	0x000000010764b8f4 PyEval_EvalCode + 54
4   org.python.python             	0x0000000107647fdc builtin_eval + 570
5   org.python.python             	0x00000001076527c8 PyEval_EvalFrameEx + 26285
6   org.python.python             	0x000000010764bf29 PyEval_EvalCodeEx + 1583
7   org.python.python             	0x000000010764b8f4 PyEval_EvalCode + 54
8   org.python.python             	0x000000010766f05d run_mod + 53
9   org.python.python             	0x000000010766f100 PyRun_FileExFlags + 133
10  org.python.python             	0x000000010766ec4f PyRun_SimpleFileExFlags + 698
11  org.python.python             	0x00000001076805f9 Py_Main + 3137
12  libdyld.dylib                 	0x00007fff9354a5c9 start + 1


Thanks

msg326079 - Author: Karthikeyan Singaravelan (xtreak) (Python committer) - Date: 2018-09-22 07:16
Reproducible on latest 2.7 branch as well. Stack trace as below:

Program received signal SIGSEGV, Segmentation fault.
dict_set_item_by_hash_or_entry (
    op={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, key=<optimized out>, hash=<optimized out>,
    value=<optimized out>, ep=<optimized out>) at Objects/dictobject.c:792
792	    Py_INCREF(value);
(gdb) bt
#0  dict_set_item_by_hash_or_entry (op={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, key=<optimized out>, hash=<optimized out>, value=<optimized out>, ep=<optimized out>) at Objects/dictobject.c:792
#1  PyDict_SetItem (op={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, key='foo', value=0x0) at Objects/dictobject.c:848
#2  0x00000001000ab62e in PyEval_EvalFrameEx (f=<unknown at remote 0x8>, throwflag=<optimized out>) at Python/ceval.c:2186
#3  0x00000001000a735a in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=0x0, argcount=<optimized out>, kws=<optimized out>, kwcount=<optimized out>, defs=0x0, defcount=<optimized out>, closure=<optimized out>) at Python/ceval.c:3604
#4  0x00000001000a6cb6 in PyEval_EvalCode (co=0x100293168, globals='foo', locals=0x0) at Python/ceval.c:669
#5  0x00000001000a302a in builtin_eval (self={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, args=<optimized out>) at Python/bltinmodule.c:679
#6  0x00000001000ae8a7 in call_function (oparg=<optimized out>, pp_stack=<optimized out>) at Python/ceval.c:4372
#7  PyEval_EvalFrameEx (f=Frame 0x1002d4bc0, for file ../backups/bpo24828.py, line 7, in <module> (), throwflag=<optimized out>) at Python/ceval.c:3009
#8  0x00000001000a735a in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=0x0, argcount=<optimized out>, kws=<optimized out>, kwcount=<optimized out>, defs=0x0, defcount=<optimized out>, closure=<optimized out>) at Python/ceval.c:3604
#9  0x00000001000a6cb6 in PyEval_EvalCode (co=0x100293168, globals='foo', locals=0x0) at Python/ceval.c:669
#10 0x00000001000d4de4 in run_mod (mod=<optimized out>, filename=<optimized out>, globals={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, locals={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, flags=<optimized out>, arena=<optimized out>) at Python/pythonrun.c:1385
#11 PyRun_FileExFlags (fp=<optimized out>, filename=<optimized out>, start=<optimized out>, globals={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, locals={'code': <code at remote 0x10059cc30>, 'ast': <module at remote 0x1005ab868>, '__builtins__': <module at remote 0x10023db08>, '__file__': '../backups/bpo24828.py', 'm': <Module(body=[<Expr(lineno=1, value=<Name(ctx=<Store at remote 0x1005a5f10>, id='foo', col_offset=0, lineno=1) at remote 0x1005c2790>, col_offset=0) at remote 0x1005c27d0>]) at remote 0x1005c2810>, '__package__': None, '__name__': '__main__', '__doc__': None}, closeit=1, flags=<optimized out>) at Python/pythonrun.c:1371
#12 0x00000001000d491a in PyRun_SimpleFileExFlags (fp=0x7fff71bec070, filename=0xc6079cb3d3de86bb <error: Cannot access memory at address 0xc6079cb3d3de86bb>, closeit=8, flags=0x7fff5fbffa70) at Python/pythonrun.c:957
#13 0x00000001000ea8f2 in Py_Main (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:645
#14 0x00007fff8b5055c9 in start () from /usr/lib/system/libdyld.dylib
#15 0x00007fff8b5055c9 in start () from /usr/lib/system/libdyld.dylib
#16 0x0000000000000000 in ?? ()


Adding Benjamin since he is the 2.7 release manager and it's something specific to 2.7.


Thanks

msg378704 - Author: Xavier Morel (xmorel) - Date: 2020-10-16 06:04
Should I close this since I believe 2.7 is not supported anymore?
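
The kind of check behind the Python 3 ValueError quoted above, as an added example (not code from CPython or from this thread): a walker that reports every expression node whose ctx does not match its position in the tree, so a hand-built AST can be rejected before it reaches compile(). The field tables and the names find_ctx_errors, expected_ctx and bad_tree are assumptions of this example, and the tables cover the common statement forms only.

```python
import ast

# (parent node type, field) pairs whose children are assignment targets.
STORE_FIELDS = {
    ("Assign", "targets"), ("AugAssign", "target"), ("AnnAssign", "target"),
    ("For", "target"), ("AsyncFor", "target"), ("comprehension", "target"),
    ("withitem", "optional_vars"), ("NamedExpr", "target"), ("TypeAlias", "name"),
}
DEL_FIELDS = {("Delete", "targets")}
# Containers hand their own expected context down to these children.
INHERIT_FIELDS = {("Tuple", "elts"), ("List", "elts"), ("Starred", "value")}


def expected_ctx(parent, field, parent_expected):
    """Context class a child expression must carry in this position."""
    key = (type(parent).__name__, field)
    if key in STORE_FIELDS:
        return ast.Store
    if key in DEL_FIELDS:
        return ast.Del
    if key in INHERIT_FIELDS:
        return parent_expected
    return ast.Load


def find_ctx_errors(node, expected=ast.Load):
    """Return (node type, expected ctx, actual ctx) for every mismatch."""
    errors = []
    ctx = getattr(node, "ctx", None)
    if ctx is not None and not isinstance(ctx, expected):
        errors.append((type(node).__name__, expected.__name__, type(ctx).__name__))
    for field, value in ast.iter_fields(node):
        for child in value if isinstance(value, list) else [value]:
            if isinstance(child, ast.AST) and not isinstance(child, ast.expr_context):
                errors += find_ctx_errors(child, expected_ctx(node, field, expected))
    return errors


def bad_tree():
    # Constructed input: the malformed tree from the report above.
    return ast.Module(
        body=[ast.Expr(value=ast.Name(id="foo", ctx=ast.Store()))],
        type_ignores=[],
    )


if __name__ == "__main__":
    print(find_ctx_errors(bad_tree()))
    print(find_ctx_errors(ast.parse("a, b[0] = foo.bar\nfor x in y: del z\n")))
```
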

History
Date                 User              Action  Args
2022-04-11 14:58:19  admin             set     github: 69016
2020-10-16 12:32:50  serhiy.storchaka  set     status: open -> closed; resolution: out of date; stage: resolved
2020-10-16 06:04:32  xmorel            set     messages: + msg378704
2018-11-21 08:00:59  serhiy.storchaka  set     versions: - Python 3.2
2018-09-22 07:16:22  xtreak            set     nosy: + benjamin.peterson; messages: + msg326079
2018-09-21 12:46:09  xtreak            set     nosy: + xtreak; messages: + msg325987
2015-08-08 14:03:34  xmorel            create